Wednesday, October 7, 2015

FortiGate configuration file backups (understanding)

In this post we will look at a configuration file of a typical FortiGate and the many means of configuration backup. First, the configuration is a simple text file that can be read or edited by any reader/editor application (vi/ed/Word/text editor).

The configuration file for the unit it was created on has a few key items, as shown in the following image:

the unit model and software build, the admin that created the file, and the configuration version numbers.

NOTE: All of these first 3 lines are crucial if you ever need to restore a backup on another unit.

The FortiGate allows you to generate an encrypted configuration file. The encryption cipher used for this configuration is unknown and not public knowledge, but you will NOT be able to review or modify the configuration of an encrypted file.

e.g. encrypted configuration file content:

NOTE: This is why I recommend using local encryption utilities if you ever need off-appliance storage of a security appliance's cfg-files, and if you need to securely transmit them for others to review, such as an "auditor" or "support" engineer. OpenSSL or GPG would come in handy for this.

Now moving along, the configuration can be backed up via a few simple means:

1: locally to a USB drive
2: using a screen capture or buffer capture from your telnet/SSH session
3: via the execution of the backup via the WebGUI

Your choice would be determined by your policy and local environment. For example, an agency I contracted with only allowed SSH access to their FortiGates, so your choices for backups were limited.

The backup configuration should always be secured regardless of what method or access you use.

The backup is always named in the following manner: <hostname>_YEAR2DIGITMONTHDATE.conf

This makes retrieving the backup file very easy and simple. If the first 3 lines of any configuration file are missing or corrupt, the configuration file will be ignored and the unit will kick out an error.
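As an added example (not code from the original post), here is a small Python checker for the two points above: it refuses a backup whose first 3 header lines are missing or corrupt, pulls out the model, build, admin and config version that matter when restoring onto another unit, and builds the <hostname>_YYMMDD.conf name. The sample backup text is constructed, and the exact header field layout is an assumption about the FortiOS format.

```python
import re

# Constructed sample of the top of a FortiGate backup (not from the original post). The header
# layout (#config-version=MODEL-VER-FW-buildNNN-DATE:...:user=ADMIN, #conf_file_ver, #buildno) is
# an assumption about the FortiOS format; the hostname lives under 'config system global'.
SAMPLE_CONF = """\
#config-version=FGT60D-5.2.3-FW-build670-150318:opmode=0:vdom=0:user=admin
#conf_file_ver=3291489845102713
#buildno=0670
config system global
    set hostname "branch-fw01"
end
"""

MODEL_RE = re.compile(r"([A-Z0-9]+)-([\d.]+)-FW-build(\d+)-\d+$")

def parse_header(text):
    # First three lines identify model/build, admin and config version; a unit ignores the file without them.
    lines = text.splitlines()
    ok = len(lines) >= 3 and all(l.startswith("#") for l in lines[:3])
    if not ok or not lines[0].startswith("#config-version="):
        raise ValueError("missing or corrupt header: first 3 lines are not valid")
    fields = lines[0][len("#config-version="):].split(":")
    m = MODEL_RE.match(fields[0])
    if not m:
        raise ValueError("unrecognised model/build token: %r" % fields[0])
    kv = dict(f.split("=", 1) for f in fields[1:] if "=" in f)
    return {"model": m.group(1), "version": m.group(2), "build": m.group(3), "admin": kv.get("user"),
            "conf_file_ver": lines[1].partition("=")[2], "buildno": lines[2].partition("=")[2]}

def header_ok(text):
    try:
        parse_header(text)
        return True
    except ValueError:
        return False

def hostname(text):
    m = re.search(r'^\s*set hostname "([^"]*)"', text, re.M)
    return m.group(1) if m else None

def backup_name(host, year, month, day):
    # The post's <hostname>_YEAR2DIGITMONTHDATE.conf convention, read here as YYMMDD.
    return "%s_%02d%02d%02d.conf" % (host, year % 100, month, day)

def restore_issues(header, target_model, target_build):
    # Header fields that must match the unit you restore onto (the post's NOTE).
    wanted = {"model": target_model, "build": target_build}
    return ["%s %s != %s" % (k, header[k], v) for k, v in wanted.items() if header[k] != v]
```

Run `restore_issues(parse_header(open(path).read()), model, build)` against the target unit's model and build before you attempt a restore; an empty list means the header matches.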

"expect" scripting is my friend: a simple script with a list of IP addresses and a common user/pass for the backup is all you need.

On RANCID: it's good and has been around for ages, and it's geared toward the Cisco heads, but "rconfig" is the new RANCID, per se. Greater in function and wider support out of the box, and so easy even a caveman can figure it out.